Hashpass is a password manager which doesn't store any passwords. Instead, it generates passwords on the fly using a cryptographic hash function of the domain of the website you're visiting and a single universal password that you memorize. This gives you:
- the security of having a unique password for each website,
- the convenience of only having to memorize one password,
- the freedom from having to sync your passwords across your devices, and
- the comfort of knowing that neither you nor any cloud provider can lose your passwords.
First, you decide on a universal password. That's the only password you need to memorize, so make it a good one.
Suppose your universal password is
correcthorsebatterystaple, and you want to
sign up for or log into
example.com. Hashpass combines your universal password
with the website domain as follows:
then computes the SHA-256 hash of that
string. It hashes it again and again,
2^16 times in total. Finally, it outputs
the first 96 bits of the result, encoded as 16 characters in
Base64. For this example, the final
CqYHklMMg9/GTL0g. That's your password for
For people who know how to read computer code, the following Python script implements the Hashpass algorithm:
```python
import base64
import getpass
import hashlib

domain = input('Domain: ').strip().lower()
universal_password = getpass.getpass('Universal password: ')

# Combine the domain and the universal password, then apply SHA-256 2^16 times.
bits = (domain + '/' + universal_password).encode()
for i in range(2 ** 16):
    bits = hashlib.sha256(bits).digest()

# The first 16 Base64 characters encode the first 96 bits of the final digest.
generated_password = base64.b64encode(bits).decode()[:16]
print('Domain-specific password: ' + generated_password)
```
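The repeated hashing is key stretching: every guess at the universal password costs 2^16 SHA-256 calls. The following is an added example, not part of Hashpass, that measures that per-guess cost on your machine and shows how the total scales with the entropy of the universal password. The function names `hashpass`, `seconds_per_derivation` and `years_to_search` and the entropy levels are assumptions chosen for illustration.

```python
import base64
import hashlib
import time

ROUNDS = 2 ** 16  # iteration count stated on the page


def hashpass(domain: str, universal_password: str, rounds: int = ROUNDS) -> str:
    """Derive the site password the same way the page's script does."""
    bits = (domain.strip().lower() + '/' + universal_password).encode()
    for _ in range(rounds):
        bits = hashlib.sha256(bits).digest()
    return base64.b64encode(bits).decode()[:16]


def seconds_per_derivation(samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one full derivation on this machine."""
    best = float('inf')
    for _ in range(samples):
        start = time.perf_counter()
        hashpass('example.com', 'constructed-sample-password')
        best = min(best, time.perf_counter() - start)
    return best


def years_to_search(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected years to try half of a 2**entropy_bits password space."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * seconds_per_guess / (365.25 * 24 * 3600)


if __name__ == '__main__':
    cost = seconds_per_derivation()
    print(f'one derivation: {cost * 1000:.1f} ms on this machine')
    # Constructed entropy levels for comparison. Single-threaded Python is
    # slow next to optimized or parallel hardware, so read these figures as
    # an upper bound on the protection and compare them relative to each other.
    for bits in (28, 44, 64, 80):
        years = years_to_search(bits, cost)
        print(f'{bits:>2}-bit universal password: {years:.3g} years')
```

Each extra bit of entropy in the universal password doubles the search time, while the fixed 2^16 rounds contribute the equivalent of only 16 bits.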
You can install Hashpass from the Chrome Web Store.
Then you can find the Hashpass button next to your address bar or in the
extensions dropdown. By default, you can also open Hashpass with
Cmd+Shift+P on macOS).